@knocklabs/cli 0.1.23 → 0.2.0

package/bin/dev.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node_modules/.bin/ts-node
 // eslint-disable-next-line node/shebang, unicorn/prefer-top-level-await
-;(async () => {
-  const oclif = await import('@oclif/core')
-  await oclif.execute({development: true, dir: __dirname})
-})()
+(async () => {
+  const oclif = await import("@oclif/core");
+  await oclif.execute({ development: true, dir: __dirname });
+})();

package/dist/commands/knock.js

@@ -112,6 +112,9 @@ class Knock extends _basecommand.default {
         this.log("");
         this.log("Thank you for using Knock, and have a nice day! 🙂");
     }
+    constructor(...args){
+        super(...args), _define_property(this, "requiresAuth", false);
+    }
 }
 // Because, it's a secret :)
 _define_property(Knock, "hidden", true);

package/dist/commands/login.js

@@ -0,0 +1,50 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", {
+    value: true
+});
+Object.defineProperty(exports, "default", {
+    enumerable: true,
+    get: function() {
+        return Login;
+    }
+});
+const _auth = /*#__PURE__*/ _interop_require_default(require("../lib/auth"));
+const _basecommand = /*#__PURE__*/ _interop_require_default(require("../lib/base-command"));
+const _ux = require("../lib/helpers/ux");
+function _define_property(obj, key, value) {
+    if (key in obj) {
+        Object.defineProperty(obj, key, {
+            value: value,
+            enumerable: true,
+            configurable: true,
+            writable: true
+        });
+    } else {
+        obj[key] = value;
+    }
+    return obj;
+}
+function _interop_require_default(obj) {
+    return obj && obj.__esModule ? obj : {
+        default: obj
+    };
+}
+class Login extends _basecommand.default {
+    async run() {
+        const { flags } = this.props;
+        if (flags["service-token"]) {
+            this.log("Service token provided, skipping login.");
+            return;
+        }
+        _ux.spinner.start("‣ Authenticating with Knock...");
+        const resp = await _auth.default.waitForAccessToken(this.sessionContext.dashboardOrigin, this.sessionContext.authOrigin);
+        _ux.spinner.stop();
+        await this.configStore.set({
+            userSession: resp
+        });
+        this.log("‣ Successfully authenticated with Knock.");
+    }
+    constructor(...args){
+        super(...args), _define_property(this, "requiresAuth", false);
+    }
+}

package/dist/commands/logout.js

@@ -0,0 +1,48 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", {
+    value: true
+});
+Object.defineProperty(exports, "default", {
+    enumerable: true,
+    get: function() {
+        return Logout;
+    }
+});
+const _basecommand = /*#__PURE__*/ _interop_require_default(require("../lib/base-command"));
+const _ux = require("../lib/helpers/ux");
+function _define_property(obj, key, value) {
+    if (key in obj) {
+        Object.defineProperty(obj, key, {
+            value: value,
+            enumerable: true,
+            configurable: true,
+            writable: true
+        });
+    } else {
+        obj[key] = value;
+    }
+    return obj;
+}
+function _interop_require_default(obj) {
+    return obj && obj.__esModule ? obj : {
+        default: obj
+    };
+}
+class Logout extends _basecommand.default {
+    async run() {
+        const { flags } = this.props;
+        if (flags["service-token"]) {
+            this.log("Service token provided, skipping logout.");
+            return;
+        }
+        _ux.spinner.start("‣ Logging out of Knock...");
+        await this.configStore.set({
+            userSession: undefined
+        });
+        _ux.spinner.stop();
+        this.log("‣ Successfully logged out of Knock. See you around.");
+    }
+    constructor(...args){
+        super(...args), _define_property(this, "requiresAuth", false);
+    }
+}

package/dist/commands/whoami.js

@@ -34,10 +34,14 @@ class Whoami extends _basecommand.default {
         const resp = await (0, _request.withSpinner)(()=>this.apiV1.whoami());
         const { flags } = this.props;
         if (flags.json) return resp.data;
-        this.log(`‣ Successfully verified the provided service token:`);
-        const info = [
+        this.log(`‣ Successfully authenticated:`);
+        let info = [];
+        info = resp.data.service_token_name ? [
             `Account name: ${resp.data.account_name}`,
             `Service token name: ${resp.data.service_token_name}`
+        ] : [
+            `Account name: ${resp.data.account_name}`,
+            `User ID: ${resp.data.user_id}`
         ];
         this.log((0, _string.indentString)(info.join("\n"), 4));
     }

package/dist/lib/api-v1.js

@@ -29,9 +29,11 @@ function _interop_require_default(obj) {
         default: obj
     };
 }
-const DEFAULT_ORIGIN = "https://control.knock.app";
 const API_VERSION = "v1";
 class ApiV1 {
+    getToken(sessionContext) {
+        return sessionContext.session ? sessionContext.session.accessToken : sessionContext.token;
+    }
     async ping() {
         return this.get("/ping");
     }
@@ -401,13 +403,20 @@ class ApiV1 {
     async put(subpath, data, config) {
         return this.client.put(`/${API_VERSION}` + subpath, data, config);
     }
-    constructor(flags, config){
+    constructor(sessionContext, config){
+        var _sessionContext_session;
         _define_property(this, "client", void 0);
-        const baseURL = flags["api-origin"] || DEFAULT_ORIGIN;
+        const baseURL = sessionContext.apiOrigin;
+        const token = this.getToken(sessionContext);
+        var _sessionContext_session_clientId;
         this.client = _axios.default.create({
             baseURL,
             headers: {
-                Authorization: `Bearer ${flags["service-token"]}`,
+                // Used to authenticate the request to the API.
+                Authorization: `Bearer ${token}`,
+                // Used in conjunction with the JWT access token, to allow the OAuth server to
+                // verify the client ID of the OAuth client that issued the access token.
+                "x-knock-client-id": (_sessionContext_session_clientId = (_sessionContext_session = sessionContext.session) === null || _sessionContext_session === void 0 ? void 0 : _sessionContext_session.clientId) !== null && _sessionContext_session_clientId !== void 0 ? _sessionContext_session_clientId : undefined,
                 "User-Agent": `${config.userAgent}`
             },
             // Don't reject the promise based on a response status code.

package/dist/lib/auth.js

@@ -0,0 +1,256 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", {
+    value: true
+});
+function _export(target, all) {
+    for(var name in all)Object.defineProperty(target, name, {
+        enumerable: true,
+        get: Object.getOwnPropertyDescriptor(all, name).get
+    });
+}
+_export(exports, {
+    get default () {
+        return _default;
+    },
+    get exchangeCodeForToken () {
+        return exchangeCodeForToken;
+    },
+    get getOAuthServerUrls () {
+        return getOAuthServerUrls;
+    },
+    get refreshAccessToken () {
+        return refreshAccessToken;
+    },
+    get registerClient () {
+        return registerClient;
+    },
+    get waitForAccessToken () {
+        return waitForAccessToken;
+    }
+});
+const _nodecrypto = /*#__PURE__*/ _interop_require_default(require("node:crypto"));
+const _nodehttp = /*#__PURE__*/ _interop_require_default(require("node:http"));
+const _browser = require("./helpers/browser");
+const _urls = require("./urls");
+function _interop_require_default(obj) {
+    return obj && obj.__esModule ? obj : {
+        default: obj
+    };
+}
+const DEFAULT_TIMEOUT = 5000;
+function createChallenge() {
+    // PKCE code verifier and challenge
+    const codeVerifier = _nodecrypto.default.randomBytes(32).toString("base64url");
+    const codeChallenge = _nodecrypto.default.createHash("sha256").update(codeVerifier).digest("base64").replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
+    const state = _nodecrypto.default.randomUUID();
+    return {
+        codeVerifier,
+        codeChallenge,
+        state
+    };
+}
+async function getOAuthServerUrls(apiUrl) {
+    const { protocol, host } = new URL(apiUrl);
+    const wellKnownUrl = `${protocol}//${host}/.well-known/oauth-authorization-server`;
+    const response = await fetch(wellKnownUrl, {
+        signal: AbortSignal.timeout(DEFAULT_TIMEOUT)
+    });
+    if (response.ok) {
+        const data = await response.json();
+        return {
+            registrationEndpoint: data.registration_endpoint,
+            authorizationEndpoint: data.authorization_endpoint,
+            tokenEndpoint: data.token_endpoint,
+            issuer: data.issuer
+        };
+    }
+    throw new Error("Failed to fetch OAuth server metadata");
+}
+async function registerClient(registrationEndpoint, redirectUri) {
+    const registrationResponse = await fetch(registrationEndpoint, {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/json"
+        },
+        body: JSON.stringify({
+            client_name: "Knock CLI",
+            token_endpoint_auth_method: "none",
+            grant_types: [
+                "authorization_code"
+            ],
+            response_types: [
+                "code"
+            ],
+            redirect_uris: [
+                redirectUri
+            ]
+        }),
+        signal: AbortSignal.timeout(DEFAULT_TIMEOUT)
+    });
+    if (!registrationResponse.ok) {
+        console.log(await registrationResponse.json());
+        throw new Error(`Could not register client with OAuth server`);
+    }
+    const registrationData = await registrationResponse.json();
+    return registrationData.client_id;
+}
+async function parseTokenResponse(response) {
+    const data = await response.json();
+    return {
+        accessToken: data.access_token,
+        refreshToken: data.refresh_token,
+        idToken: data.id_token,
+        expiresAt: new Date(Date.now() + data.expires_in * 1000)
+    };
+}
+async function exchangeCodeForToken(params) {
+    const response = await fetch(params.tokenEndpoint, {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/x-www-form-urlencoded"
+        },
+        body: new URLSearchParams({
+            grant_type: "authorization_code",
+            client_id: params.clientId,
+            code: params.code,
+            code_verifier: params.codeVerifier,
+            redirect_uri: params.redirectUri
+        }),
+        signal: AbortSignal.timeout(5000)
+    });
+    if (!response.ok) {
+        let errorDescription;
+        try {
+            const errorResponse = await response.json();
+            errorDescription = errorResponse.error_description || errorResponse.error;
+        } catch  {
+        // ignore
+        }
+        return {
+            error: errorDescription !== null && errorDescription !== void 0 ? errorDescription : "unknown error"
+        };
+    }
+    return {
+        ...await parseTokenResponse(response),
+        clientId: params.clientId
+    };
+}
+async function refreshAccessToken(params) {
+    const { tokenEndpoint } = await getOAuthServerUrls(params.authUrl);
+    const response = await fetch(tokenEndpoint, {
+        method: "POST",
+        headers: {
+            "Content-Type": "application/x-www-form-urlencoded"
+        },
+        body: new URLSearchParams({
+            grant_type: "refresh_token",
+            client_id: params.clientId,
+            refresh_token: params.refreshToken
+        }),
+        signal: AbortSignal.timeout(5000)
+    });
+    if (!response.ok) {
+        throw new Error("Failed to refresh access token");
+    }
+    return {
+        ...await parseTokenResponse(response),
+        clientId: params.clientId
+    };
+}
+async function waitForAccessToken(dashboardUrl, authUrl) {
+    const { authorizationEndpoint, tokenEndpoint, registrationEndpoint } = await getOAuthServerUrls(authUrl);
+    let resolve;
+    let reject;
+    const promise = new Promise((res, rej)=>{
+        resolve = res;
+        reject = rej;
+    });
+    const { codeVerifier, codeChallenge, state } = createChallenge();
+    const timeout = setTimeout(()=>{
+        cleanupAndReject(`authentication timed out after ${DEFAULT_TIMEOUT / 1000} seconds`);
+    }, 60000);
+    function cleanupAndReject(message) {
+        cleanup();
+        reject(new Error(`Could not authenticate: ${message}`));
+    }
+    function cleanup() {
+        clearTimeout(timeout);
+        server.close();
+        server.closeAllConnections();
+    }
+    const server = _nodehttp.default.createServer();
+    server.listen();
+    const address = server.address();
+    if (address === null || typeof address !== "object") {
+        throw new Error("Could not start server");
+    }
+    const callbackPath = "/oauth_callback";
+    const redirectUri = `http://localhost:${address.port}${callbackPath}`;
+    const clientId = await registerClient(registrationEndpoint, redirectUri);
+    const params = {
+        response_type: "code",
+        client_id: clientId,
+        redirect_uri: redirectUri,
+        state,
+        code_challenge: codeChallenge,
+        code_challenge_method: "S256",
+        scope: "openid email offline_access"
+    };
+    const browserUrl = `${authorizationEndpoint}?${new URLSearchParams(params).toString()}`;
+    server.on("request", async (req, res)=>{
+        if (!clientId || !redirectUri) {
+            res.writeHead(500).end("Something went wrong");
+            cleanupAndReject("something went wrong");
+            return;
+        }
+        var _req_url;
+        const url = new URL((_req_url = req.url) !== null && _req_url !== void 0 ? _req_url : "/", "http://127.0.0.1");
+        if (url.pathname !== callbackPath) {
+            res.writeHead(404).end("Invalid path");
+            cleanupAndReject("invalid path");
+            return;
+        }
+        const error = url.searchParams.get("error");
+        if (error) {
+            res.writeHead(400).end("Could not authenticate");
+            const errorDescription = url.searchParams.get("error_description");
+            cleanupAndReject(`${errorDescription || error} `);
+            return;
+        }
+        const code = url.searchParams.get("code");
+        if (!code) {
+            res.writeHead(400).end("Could not authenticate");
+            cleanupAndReject("no code provided");
+            return;
+        }
+        const response = await exchangeCodeForToken({
+            tokenEndpoint,
+            clientId,
+            code,
+            codeVerifier,
+            redirectUri
+        });
+        if ("error" in response) {
+            res.writeHead(302, {
+                location: (0, _urls.authErrorUrl)(dashboardUrl, "Could not authenticate: unable to fetch access token")
+            }).end("Could not authenticate");
+            cleanupAndReject(JSON.stringify(response.error));
+            return;
+        }
+        res.writeHead(302, {
+            location: (0, _urls.authSuccessUrl)(dashboardUrl)
+        }).end("Authentication successful");
+        cleanup();
+        resolve({
+            ...response,
+            clientId
+        });
+    });
+    console.log(`Opened web browser to facilitate auth: ${browserUrl}`);
+    _browser.browser.openUrl(browserUrl);
+    return promise;
+}
+const _default = {
+    waitForAccessToken,
+    refreshAccessToken
+};

package/dist/lib/base-command.js

@@ -10,8 +10,10 @@ Object.defineProperty(exports, "default", {
 });
 const _core = require("@oclif/core");
 const _apiv1 = /*#__PURE__*/ _interop_require_default(require("./api-v1"));
+const _auth = /*#__PURE__*/ _interop_require_default(require("./auth"));
 const _runcontext = /*#__PURE__*/ _interop_require_wildcard(require("./run-context"));
-const _userconfig = /*#__PURE__*/ _interop_require_default(require("./user-config"));
+const _urls = require("./urls");
+const _userconfig = require("./user-config");
 function _define_property(obj, key, value) {
     if (key in obj) {
         Object.defineProperty(obj, key, {
@@ -71,24 +73,97 @@ function _interop_require_wildcard(obj, nodeInterop) {
     }
     return newObj;
 }
+function sessionWithDefaultOrigins(sessionContext) {
+    var _sessionContext_apiOrigin, _sessionContext_dashboardOrigin, _sessionContext_authOrigin;
+    return {
+        ...sessionContext,
+        apiOrigin: (_sessionContext_apiOrigin = sessionContext.apiOrigin) !== null && _sessionContext_apiOrigin !== void 0 ? _sessionContext_apiOrigin : _urls.DEFAULT_API_URL,
+        dashboardOrigin: (_sessionContext_dashboardOrigin = sessionContext.dashboardOrigin) !== null && _sessionContext_dashboardOrigin !== void 0 ? _sessionContext_dashboardOrigin : _urls.DEFAULT_DASHBOARD_URL,
+        authOrigin: (_sessionContext_authOrigin = sessionContext.authOrigin) !== null && _sessionContext_authOrigin !== void 0 ? _sessionContext_authOrigin : _urls.DEFAULT_AUTH_URL
+    };
+}
 class BaseCommand extends _core.Command {
     async init() {
         await super.init();
+        this.configStore = new _userconfig.UserConfigStore(this.config.configDir);
         // 1. Load user's config from the config dir, as available.
-        await _userconfig.default.load(this.config.configDir);
+        await this.configStore.load();
         // 2. Parse flags and args, must come after the user config load.
         const { args, flags } = await this.parse(this.ctor);
         this.props = {
             args: args,
             flags: flags
         };
-        // 3. Instantiate a knock api client.
-        this.apiV1 = new _apiv1.default(this.props.flags, this.config);
-        // 4. Load the run context of the invoked command.
+        // 3. Build the initial session context.
+        this.sessionContext = this.buildSessionContext();
+        // 4. If the command requires authentication, ensure the session is authenticated.
+        if (this.requiresAuth) {
+            this.ensureAuthenticated();
+        }
+        // 5. If the session context is an OAuth session, refresh the access token.
+        if (this.sessionContext.type === "oauth") {
+            await this.refreshAccessTokenForSession();
+        }
+        // 6. Instantiate a knock api client.
+        this.apiV1 = new _apiv1.default(this.sessionContext, this.config);
+        // 7. Load the run context of the invoked command.
         this.runContext = await _runcontext.load(this.id);
     }
+    buildSessionContext() {
+        const userConfig = this.configStore.get();
+        const session = userConfig.userSession;
+        // If the user has a session and a service token is not provided, use the session.
+        if (session && !this.props.flags["service-token"]) {
+            var _this_props_flags_apiorigin;
+            return sessionWithDefaultOrigins({
+                type: "oauth",
+                session,
+                apiOrigin: (_this_props_flags_apiorigin = this.props.flags["api-origin"]) !== null && _this_props_flags_apiorigin !== void 0 ? _this_props_flags_apiorigin : userConfig.apiOrigin,
+                dashboardOrigin: userConfig.dashboardOrigin,
+                authOrigin: userConfig.authOrigin
+            });
+        }
+        var _this_props_flags_servicetoken, _this_props_flags_apiorigin1;
+        // Otherwise, default to this being a service token session.
+        return sessionWithDefaultOrigins({
+            type: "service",
+            token: (_this_props_flags_servicetoken = this.props.flags["service-token"]) !== null && _this_props_flags_servicetoken !== void 0 ? _this_props_flags_servicetoken : userConfig.serviceToken,
+            apiOrigin: (_this_props_flags_apiorigin1 = this.props.flags["api-origin"]) !== null && _this_props_flags_apiorigin1 !== void 0 ? _this_props_flags_apiorigin1 : userConfig.apiOrigin,
+            dashboardOrigin: userConfig.dashboardOrigin,
+            authOrigin: userConfig.authOrigin
+        });
+    }
+    ensureAuthenticated() {
+        if (this.sessionContext.type === "service" && !this.sessionContext.token || this.sessionContext.type === "oauth" && !this.sessionContext.session) {
+            this.error("No token found. Refusing to run command.");
+        }
+    }
+    async refreshAccessTokenForSession() {
+        // Maybe refresh the access token?
+        try {
+            var _this_sessionContext_session, _this_sessionContext_session1;
+            var _this_sessionContext_session_clientId, _this_sessionContext_session_refreshToken;
+            const refreshedSession = await _auth.default.refreshAccessToken({
+                authUrl: this.sessionContext.authOrigin,
+                clientId: (_this_sessionContext_session_clientId = (_this_sessionContext_session = this.sessionContext.session) === null || _this_sessionContext_session === void 0 ? void 0 : _this_sessionContext_session.clientId) !== null && _this_sessionContext_session_clientId !== void 0 ? _this_sessionContext_session_clientId : "",
+                refreshToken: (_this_sessionContext_session_refreshToken = (_this_sessionContext_session1 = this.sessionContext.session) === null || _this_sessionContext_session1 === void 0 ? void 0 : _this_sessionContext_session1.refreshToken) !== null && _this_sessionContext_session_refreshToken !== void 0 ? _this_sessionContext_session_refreshToken : ""
+            });
+            this.debug("Successfully refreshed access token.");
+            // Update the user config to use the new session.
+            await this.configStore.set({
+                userSession: refreshedSession
+            });
+            // Update the session context to use the new session.
+            this.sessionContext = this.buildSessionContext();
+        } catch  {
+            this.debug("Failed to refresh access token, clearing session.");
+            await this.configStore.set({
+                userSession: undefined
+            });
+        }
+    }
     constructor(...args){
-        super(...args), _define_property(this, "props", void 0), _define_property(this, "apiV1", void 0), _define_property(this, "runContext", void 0);
+        super(...args), _define_property(this, "props", void 0), _define_property(this, "apiV1", void 0), _define_property(this, "runContext", void 0), _define_property(this, "sessionContext", void 0), _define_property(this, "configStore", void 0), _define_property(this, "requiresAuth", true);
     }
 }
 // Base flags are inherited by any command that extends BaseCommand.
@@ -99,17 +174,15 @@ _define_property(BaseCommand, "baseFlags", {
     // - if not available, fall back to user config
     "service-token": _core.Flags.string({
         summary: "The service token to authenticate with.",
-        required: true,
+        required: false,
         multiple: false,
-        env: "KNOCK_SERVICE_TOKEN",
-        default: async ()=>_userconfig.default.get().serviceToken
+        env: "KNOCK_SERVICE_TOKEN"
     }),
-    // Hidden flag to use a different api base url for development purposes.
+    // Hidden flags to use a different api url for development purposes.
     "api-origin": _core.Flags.string({
         hidden: true,
         required: false,
-        multiple: false,
-        default: async ()=>_userconfig.default.get().apiOrigin
+        multiple: false
     })
 });
 const _default = BaseCommand;

package/dist/lib/helpers/browser.js

@@ -0,0 +1,25 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", {
+    value: true
+});
+Object.defineProperty(exports, "browser", {
+    enumerable: true,
+    get: function() {
+        return browser;
+    }
+});
+const _open = /*#__PURE__*/ _interop_require_default(require("open"));
+function _interop_require_default(obj) {
+    return obj && obj.__esModule ? obj : {
+        default: obj
+    };
+}
+const browser = {
+    /**
+   * Opens a URL in the default browser
+   * @param url The URL to open
+   * @returns A promise that resolves when the URL is opened
+   */ async openUrl (url) {
+        await (0, _open.default)(url);
+    }
+};

package/dist/lib/types.js

@@ -0,0 +1,4 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", {
+    value: true
+});

package/dist/lib/urls.js

@@ -0,0 +1,32 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", {
+    value: true
+});
+function _export(target, all) {
+    for(var name in all)Object.defineProperty(target, name, {
+        enumerable: true,
+        get: Object.getOwnPropertyDescriptor(all, name).get
+    });
+}
+_export(exports, {
+    get DEFAULT_API_URL () {
+        return DEFAULT_API_URL;
+    },
+    get DEFAULT_AUTH_URL () {
+        return DEFAULT_AUTH_URL;
+    },
+    get DEFAULT_DASHBOARD_URL () {
+        return DEFAULT_DASHBOARD_URL;
+    },
+    get authErrorUrl () {
+        return authErrorUrl;
+    },
+    get authSuccessUrl () {
+        return authSuccessUrl;
+    }
+});
+const DEFAULT_DASHBOARD_URL = "https://dashboard.knock.app";
+const DEFAULT_AUTH_URL = "https://signin.knock.app";
+const DEFAULT_API_URL = "https://control.knock.app";
+const authSuccessUrl = (dashboardUrl)=>`${dashboardUrl}/auth/oauth/cli`;
+const authErrorUrl = (dashboardUrl, error)=>`${dashboardUrl}/auth/oauth/cli?error=${error}`;